Enabled authenticators can be configured using configuration file #2217
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
CHANGELOG.md
Outdated
| @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, the | |||
CHANGELOG.md
Outdated
| @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, the | |||
| CONJUR_AUTHENTICATORS environment variable, or the authenticator allowlist | |||
CHANGELOG.md
Outdated
| @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, the | |||
There was a problem hiding this comment.
Lists should be surrounded by blank lines
CHANGELOG.md
Outdated
| @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, the | |||
CHANGELOG.md
Outdated
| @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, the | |||
| CONJUR_AUTHENTICATORS environment variable, or the authenticator allowlist | |||
h-artzi
changed the title
| def env_enabled_authenticators(env) | ||
| authenticators = env["CONJUR_AUTHENTICATORS"] | ||
| authenticators.present? ? authenticators.split(',') : nil | ||
| def env_enabled_authenticators |
There was a problem hiding this comment.
I would call this configured_authenticators now.
There was a problem hiding this comment.
configured_authenticators is already used
There was a problem hiding this comment.
Hah, okay. In that case (and knowing that we're going to tear out the DB-configured authenticators sooni-ish) I would get rid of this helper method and just build the logic into the enabled_authenticators method.
| authenticators = env["CONJUR_AUTHENTICATORS"] | ||
| authenticators.present? ? authenticators.split(',') : nil | ||
| def env_enabled_authenticators | ||
| authenticators = Conjur::ConjurConfig.new.authenticators.uniq |
There was a problem hiding this comment.
Please use Rails.application.config.conjur_config.authenticators within the application code. It gets loaded once when the app starts instead of loading configuration fresh each time ConjurConfig is instantiated.
| @@ -32,7 +34,7 @@ class ConjurConfig < Anyway::Config | |||
|
|
|||
| # Get attribute sources without including attribute values | |||
| def attribute_sources | |||
| to_source_trace.map { |k,v| [ k.to_sym, v[:source][:type] ] }.to_h | |||
| to_source_trace.map { |k, v| [ k.to_sym, v[:source][:type] ] }.to_h | |||
There was a problem hiding this comment.
Weird, I had it like this originally but CodeClimate complained.
| expect(Conjur::ConjurConfig.new.attribute_sources[:trusted_proxies]). | ||
| to eq(:defaults) | ||
| expect(Conjur::ConjurConfig.new.attribute_sources[:trusted_proxies]) | ||
| .to eq(:defaults) |
There was a problem hiding this comment.
I think we use trailing dots more often than leading so can we change these back?
There was a problem hiding this comment.
@jtuttle Dissenting vote :)
Consider:
Resource
.where(identifier.like("#{AUTHN_RESOURCE_PREFIX}%"))
.where(kind => "webservice")
.select_map(identifier)
.map { |id| id[%r{^conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}, 1] } # filter out nested status webservice
.compact
.push(::Authentication::Common.default_authenticator_name)leading dot does two things:
- Makes clear at a glance that we're dealing with a continuation (otherwise, if you don't notice the dot at the end of the previous line, it could be a new method call on
self) - Makes cut and paste more ergonomic (otherwise the final item is a special case).
There was a problem hiding this comment.
Yeah this is a whole thing (rubocop/ruby-style-guide#176). There's a reason the ruby style guide doesn't push one way or the other. 😂
- I prefer having my continuation marker at the end of the line. The indentation of subsequent lines is enough of a signal to show that we're dealing with indentation.
- Sure, but this doesn't happen often and isn't that big a deal when you need to fix it.
h-artzi
force-pushed
the
2173-authenticators
branch
2 times, most recently
from
d5e5485
to
394e076
Compare
h-artzi
force-pushed
the
2173-authenticators
branch
from
394e076
to
fb4d465
Compare
CHANGELOG.md
Outdated
| - Enabled authenticators can now be configured via a configuration file, the | ||
| CONJUR_AUTHENTICATORS environment variable, or the authenticator allowlist | ||
| API. | ||
| [cyberark/conjur##2173](https://github.com/cyberark/conjur/issues/#2173) |
There was a problem hiding this comment.
@h-artzi i'm probably missing something but i couldn't find in the code how authenticators can still be enabled by the CONJUR_AUTHENTICATORS environment variable. can you point me to it?
also - i am not sure that the authenticator allowlist API is GA so not sure that it should be in the changelog. @alexkalish wdyt?
There was a problem hiding this comment.
The anyway_config gem takes care of the usage of the environment variable CONJUR_AUTHENTICATORS.
There was a problem hiding this comment.
Yeah, I agree with Oren. Please drop the reference to the API from the message. It's not a GA feature. Otherwise, LGTM!
h-artzi
force-pushed
the
2173-authenticators
branch
2 times, most recently
from
7e58c23
to
2a0b719
Compare
| # Enabling via environment overrides enabling via CLI | ||
| env_enabled_authenticators(env) || db_enabled_authenticators | ||
| authenticators = | ||
| Rails.application.config.conjur_config.authenticators.uniq |
There was a problem hiding this comment.
What do you think about moving the uniq call to the authenticators method in the config? (We may need to create a new method that extends the parent class behaviour). To me, it feels out of place here to "fix-up" config.
There was a problem hiding this comment.
We might also want to strip empty/nil items from the array.
| env_enabled_authenticators(env) || db_enabled_authenticators | ||
| authenticators = | ||
| Rails.application.config.conjur_config.authenticators.uniq | ||
| authenticators.empty? ? db_enabled_authenticators : authenticators |
There was a problem hiding this comment.
I rarely feel like the ternary operator reads well. What do you think about something like:
def enabled_authenticators
Rails.application.config.conjur_config.authenticators.select { |e| !e.to_s.empty? } ||
db_enabled_authenticators
endThere was a problem hiding this comment.
I think I prefer the ternary in this case. Having a negated select that calls several methods on the elements it's selecting hurts my head more than the ternary does. 😄
There was a problem hiding this comment.
Also note that we are hopefully going to tear out db_enabled_authenticators soon-ish so whatever we choose here is going to be a temporary inconvenience.
There was a problem hiding this comment.
I personally think the ternary is clear here, but here's a non-ternary alternative which does the same thing:
authenticators =
Rails.application.config.conjur_config.authenticators.uniq
return authenticators if authenticators
db_enabled_authenticators
| @@ -63,5 +71,13 @@ def trusted_proxies_valid? | |||
| rescue | |||
| false | |||
| end | |||
|
|
|||
| def authenticators_valid? | |||
There was a problem hiding this comment.
What do you think about checking for a valid authenticator (authn-k8s, authn-ldap, authn-oidc, etc.) rather than just the form of a possible authenticator?
h-artzi
force-pushed
the
2173-authenticators
branch
5 times, most recently
from
6ca3e86
to
b6e3840
Compare
| @@ -63,5 +71,18 @@ def trusted_proxies_valid? | |||
| rescue | |||
| false | |||
| end | |||
|
|
|||
| def authenticators_valid? | |||
| # TODO: Ideally we would check against the enabled authenticators | |||
| @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ## [Unreleased] | |||
| ### Added | |||
| - Enabled authenticators can now be configured via a configuration file, or the | |||
There was a problem hiding this comment.
Lists should be surrounded by blank lines
h-artzi
force-pushed
the
2173-authenticators
branch
from
b6e3840
to
92504f7
Compare
lib/conjur/conjur_config.rb
Outdated
| # in the DB. However, we need to figure out how to use code from the | ||
| # application without introducing warnings. | ||
| authenticators_regex = | ||
| %r{^(authn|authn-(k8s|oidc|iam|ldap|gcp|azure|config)(/.+)?)$} |
There was a problem hiding this comment.
You can remove config from here now, right?
There is a ticket that is currently filed in order to understand/address the current behavior of anyway_config gem. palkan/anyway_config#82
h-artzi
force-pushed
the
2173-authenticators
branch
from
92504f7
to
1a00282
Compare
|
Code Climate has analyzed commit 1a00282 and detected 2 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 94.1% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.2%. View more on Code Climate. |
What does this PR do?
Add authenticators to Conjur Config
What ticket does this PR close?
Resolves #2173
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, orAPI Changes